Cloud Engineer Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Cloud Engineer exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Cloud Engineer
You are onboarding a newly acquired business unit. They require strict separation from existing teams, but central security must enforce org-wide policies (e.g., allowed regions, no public IPs by default) and provide standardized project creation. You also need a repeatable way for a platform team to create projects with preconfigured networks, logging, and billing linkage. What is the best design?
Your company uses a centralized Shared VPC host project for networking and multiple service projects for workloads. A new team needs to deploy GKE in a service project. The cluster must use subnets and secondary ranges in the host project, but the team must not receive broad permissions on the host project. What is the most secure way to enable this?
You are deploying a three-tier web app. The frontend must be globally available, the backend runs on managed instance groups in two regions, and the database is Cloud SQL. Requirements: (1) terminate TLS at the edge, (2) send traffic to the nearest healthy region, (3) keep backend instances private (no public IPs), and (4) minimize operational overhead. Which architecture best meets these requirements?
A fintech workload must process messages exactly once from a queue, and each message triggers a transaction that writes to Cloud Spanner. The processing service runs on GKE and must survive zonal failures. You observe duplicate writes during pod restarts and transient Spanner errors. You need an architecture and implementation approach that ensures correctness with minimal operational complexity. What should you do?
A stateful application runs on a regional managed instance group with attached persistent disks. After a maintenance event, you find instances recreated in a different zone and the application fails because data disks are not reattached. You must keep using MIG for autohealing, but ensure data is available after recreation with minimal manual steps. What should you do?
You deploy a Cloud Run service that calls a private REST API hosted on a Compute Engine VM with only an internal IP in a VPC. Requests from Cloud Run time out. You must keep the VM private and avoid exposing it publicly. What is the correct fix?
A production VM cannot download packages from the internet after you removed its external IP for security hardening. It is in a private subnet. You already created a Cloud NAT gateway, but egress still fails. Internal services are reachable. What is the most likely missing configuration?
You operate a microservices platform on GKE. A new release causes intermittent 503s only during deployments. You see that Pods are terminated while still serving requests, and the load balancer continues sending traffic to terminating Pods for a short time. You need to reduce user-visible errors without increasing deployment time significantly. What should you do?
Cloud Monitoring shows frequent high CPU alerts for a managed instance group, but user latency is normal. You find that the alerting policy uses a mean CPU utilization threshold across all instances. During traffic spikes, a subset of instances gets hot due to uneven request distribution, but the average stays below threshold. You need alerting that catches the hot instances and guides autoscaling decisions. What should you do?
A security team requires that only certain deployment pipelines can impersonate a privileged service account used to deploy to production. Developers must not be able to use that service account from their workstations, even if they have broad permissions in the project. The pipeline runs in Cloud Build. What is the best approach?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Cloud Engineer exam!
Cloud Engineer Advanced Practice Exam FAQs
Cloud Engineer is a professional certification from Google Cloud that validates expertise in cloud engineering technologies and concepts. The official exam code is GCP-3.
The Cloud Engineer advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the GCP-3 exam.
While not required, we recommend mastering the Cloud Engineer beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score Scaled score on the Cloud Engineer advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.